PYSEC-2026-1301

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django-tinymce/PYSEC-2026-1301.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1301
Aliases
Published
2026-07-07T14:34:34.937384Z
Modified
2026-07-07T17:46:38.036836600Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L CVSS Calculator
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Details

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 7.2.0 or higher.
  • Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
  • Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

References

For more information

If you have any questions or comments about this advisory:

References

Affected packages

PyPI / django-tinymce

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.0

Affected versions

1.*
1.0
1.1
1.2
1.3
1.4
1.4.1
1.5
1.5.1.dev100
1.5.1.dev101
1.5.1a1
1.5.1a2
1.5.1a3
1.5.1b1
1.5.1b2
1.5.1b3
1.5.1b4
1.5.1
1.5.2
1.5.3
1.5.4
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.9.0
3.*
3.0.1
3.0.2
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.7.0
3.7.1
4.*
4.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/django-tinymce/PYSEC-2026-1301.yaml"